March 04, 2013, 4:35 PM — A security researcher claims to have found five new vulnerabilities in Oracle's Java technology that could allow a malicious hacker to bypass safety features in the latest version of the Java technology.
If used in concert, the five security holes could enable an attacker to run malicious code outside of the Java "sandbox," a virtual container that is used to run untrusted code. That is according to a post on the Full-Disclosure security discussion list on Monday by Adam Gowdiak of the Polish security firm Security Explorations.
Java is a ubiquitous technology that runs on billions of devices and web pages, which has made it a popular target for cyber criminals and otherwise motivated attackers. Recently, exploits for previously unknown ("zero day") holes in Java have been used in targeted attacks against developers at Twitter, Facebook, and Apple, breaching the security of those organizations. An exploit of a separate Java "zero day" is believed to be linked to the hack at security firm Bit9, which resulted in a malicious program being added to Bit9's "whitelist" of approved applications.
Gowdiak said that Security Explorations researchers came upon the five vulnerabilities after Oracle Corp.'s security team, which maintains the Java technology, questioned whether a previously reported issue, dubbed "#54," was actually a security hole. The rejection prompted Gowdiak and others on his team to dig into the part of the Java code that yielded issue #54 to find evidence to support their contention that it was not Java behaving as designed. In the process of rooting around, the crew found an additional five security holes in the same piece of code.
All the vulnerabilities, which were numbered 56 through 60, affect Java Standard Edition (SE) 7. When combined, they can be used to "gain a complete Java security sandbox bypass" in the environment running the vulnerable version of Java. Two of the five new issues, #59 and #60, may also affect Java SE 6.
Gowdiak said two of the vulnerabilities, #57 and #58, break "a couple of security checks" introduced into the Java platform by Oracle in recent months to address other published vulnerabilities.
In an e-mail response to questions from ITworld, Gowdiak said the vulnerabilities are "non-memory corruption vulnerabilities" related to the Java Reflection API, an application programming interface that is used by programs to monitor or alter the runtime behavior of applications running in the Java virtual machine.
"Each hole allows [sic] to gain a little security bypass," Gowdiak wrote. "Alone they are not worth much. But, when combined together, those little security bypasses can be leveraged to a complete Java security sandbox bypass."
Exploiting the holes together is a bit more complicated than other, recent Java holes, but hardly impossible, he said.
Gowdiak has locked horns with Oracle on more than one occasion. In September, Gowdiak and his company cried foul after a patch by Oracle introduced a new, remotely exploitable security hole into the platform.
He said the company isn't being consistent in performing security checks within Java and that its staff is "missing certain subtle attack scenarios."
So far, Oracle has confirmed receipt of Security Explorations' report and is investigating it, Gowdiak told ITworld in an e-mail.